AMD microprocessor families 15h to 18h are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.

**Information**

Advisory

XSA-407

Public release

2022-07-12 16:35

Updated

2022-07-12 16:35

Version

1

CVE(s)

CVE-2022-23816 CVE-2022-23825 CVE-2022-29900

Title

Retbleed - arbitrary speculative code execution with return instructions

**Files**advisory-407.txt (signed advisory file)  
xsa407.meta  
xsa407/xsa407-1.patch  
xsa407/xsa407-2.patch  
xsa407/xsa407-3.patch  
xsa407/xsa407-4.13-01.patch  
xsa407/xsa407-4.13-02.patch  
xsa407/xsa407-4.13-03.patch  
xsa407/xsa407-4.13-04.patch  
xsa407/xsa407-4.13-05.patch  
xsa407/xsa407-4.13-06.patch  
xsa407/xsa407-4.13-07.patch  
xsa407/xsa407-4.13-08.patch  
xsa407/xsa407-4.13-09.patch  
xsa407/xsa407-4.13-10.patch  
xsa407/xsa407-4.13-11.patch  
xsa407/xsa407-4.13-12.patch  
xsa407/xsa407-4.13-13.patch  
xsa407/xsa407-4.13-14.patch  
xsa407/xsa407-4.13-15.patch  
xsa407/xsa407-4.13-16.patch  
xsa407/xsa407-4.13-17.patch  
xsa407/xsa407-4.13-18.patch  
xsa407/xsa407-4.13-19.patch  
xsa407/xsa407-4.13-20.patch  
xsa407/xsa407-4.13-21.patch  
xsa407/xsa407-4.14-01.patch  
xsa407/xsa407-4.14-02.patch  
xsa407/xsa407-4.14-03.patch  
xsa407/xsa407-4.14-04.patch  
xsa407/xsa407-4.14-05.patch  
xsa407/xsa407-4.14-06.patch  
xsa407/xsa407-4.14-07.patch  
xsa407/xsa407-4.14-08.patch  
xsa407/xsa407-4.14-09.patch  
xsa407/xsa407-4.14-10.patch  
xsa407/xsa407-4.14-11.patch  
xsa407/xsa407-4.14-12.patch  
xsa407/xsa407-4.15-1.patch  
xsa407/xsa407-4.15-2.patch  
xsa407/xsa407-4.15-3.patch  
xsa407/xsa407-4.15-4.patch  
xsa407/xsa407-4.15-5.patch  
xsa407/xsa407-4.15-6.patch  
xsa407/xsa407-4.15-7.patch  
xsa407/xsa407-4.15-8.patch  
xsa407/xsa407-4.16-1.patch  
xsa407/xsa407-4.16-2.patch  
xsa407/xsa407-4.16-3.patch  
xsa407/xsa407-4.16-4.patch  
xsa407/xsa407-4.16-5.patch  
xsa407/xsa407-4.16-6.patch  
xsa407/xsa407-4.16-7.patch  
xsa407/xsa407-4.16-8.patch  
xsa407/xsa407-4.patch  
xsa407/xsa407-5.patch  
xsa407/xsa407-6.patch  
xsa407/xsa407-7.patch  
xsa407/xsa407-8.patch**Advisory**

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 / XSA-407

   Retbleed - arbitrary speculative code execution with return instructions

ISSUE DESCRIPTION
=================

Researchers at ETH Zurich have discovered Retbleed, allowing for
arbitrary speculative execution in a victim context.

For more details, see:
  https://comsec.ethz.ch/retbleed

ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for
Intel.

Despite the similar preconditions, these are very different
microarchitectural behaviours between vendors.

On AMD CPUs, Retbleed is one specific instance of a more general
microarchitectural behaviour called Branch Type Confusion.  AMD have
assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type
Confusion).

For more details, see:
  https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037

On Intel CPUs, Retbleed is not a new vulnerability; it is only
applicable to software which did not follow Intel's original Spectre-v2
guidance.  Intel are using the ETH Zurich allocated CVE-2022-29901.

For more details, see:
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html
  https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html

ARM have indicated existing guidance on Spectre-v2 is sufficient.

IMPACT
======

An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Whether a CPU is potentially vulnerable depends on its
microarchitecture.  Consult your hardware vendor.

For ARM and Intel CPUs, Xen implemented the vendor-recommended defaults
in XSA-254 and follow-on fixes.  Therefore, the Xen Security Team
believes there are no further changes necessary on these CPUs.
Administrators who deviated from the default mitigations are potentially
affected and should re-evaluate their threat model.

For AMD, CPUs from the Zen2 microarchitecture and earlier are
potentially vulnerable.  Zen3 and later CPUs are not believed to be
vulnerable.

The patches for Xen implement the IBPB-at-entry mitigation.  This
depends on the IBPB microcode distributed by AMD in 2018 as part of the
original Spectre/Meltdown work.  Consult your dom0 OS vendor.

In addition to IBPB, "cross thread" safety is necessary.  On Zen2 CPUs,
Xen uses STIBP by default.  On Zen1 CPUs, SMT needs disabling either in
the firmware, or by passing \`smt=0\` on Xen's command line.  On Fam15h
CPUs, Cluster Multi-Threading needs disabling in firmware.

Due to performance concerns, dom0 is excluded from IBPB-on-entry
protections by default.  This is because PV dom0 is trusted in most
deployments.  If your threat model model doesn't allow for dom0 to be
treated specially, boot with \`spec-ctrl=ibpb-entry\` which will cause
IBPB-on-entry protections to be applied to dom0 too.

MITIGATION
==========

There are no mitigations.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

For the 4.15 and 4.16 branches in particular, these patches depend on:

 - x86/spec-ctrl: Only adjust MSR\_SPEC\_CTRL for idle with legacy IBRS
 - x86/spec-ctrl: Knobs for STIBP and PSFD, and follow hardware STIBP hint
 - xen/cmdline: Extend parse\_boolean() to signal a name match
 - x86/spec-ctrl: Add fine-grained cmdline suboptions for primitives

which have been recently backported.

xsa407/xsa407-?.patch           xen-unstable
xsa407/xsa407-4.16-\*.patch      Xen 4.16.x
xsa407/xsa407-4.15-\*.patch      Xen 4.15.x
xsa407/xsa407-4.14-\*.patch      Xen 4.14.x
xsa407/xsa407-4.13-\*.patch      Xen 4.13.x

$ sha256sum xsa407\* xsa407\*/\*
0a6dea915dd760afc73c3f50f432422d2e853eecaf99e3cdeb2d6e0fb3ee71b1  xsa407.meta
8894b0dc8e8c0900560366bde766826bf357c8aec3233ed6147f2094633a3cbc  xsa407/xsa407-1.patch
5955614d73b34ebeab45386dbc9dbe5d96c54f7945d22d5de6c645a5b7796a2f  xsa407/xsa407-2.patch
1f901df3a382a547dda6ef4ef088a5cf60a2d2b0382be451b148bf166cf43013  xsa407/xsa407-3.patch
8f75a9eee8ee2a563bc90e493ba1e4ac29335f677a3d2049ec27e138b7e3021e  xsa407/xsa407-4.13-01.patch
fbe3dca8f170dabf61c620ad1dde12898d52521ede59822971f461549323f946  xsa407/xsa407-4.13-02.patch
9a392bca751a6d6b9489b536ffd7e14722f22e44d266631898ec024b1b258e27  xsa407/xsa407-4.13-03.patch
1eae8ece87fc06ca883fc7510b80ced195c3ec44a589fcf464ead076de4d1afd  xsa407/xsa407-4.13-04.patch
016b1a682aa292a380a4fd9c49c65ade0fa7d19ef2f636611d7883d6adb38008  xsa407/xsa407-4.13-05.patch
cc3435e7bf2331a61c6e6731d8c0c4edd10ac49c85c9702e3d790309e1bb494a  xsa407/xsa407-4.13-06.patch
46f7b3d8a4ae39fa325dda2d77091b0768367a3d2cf6a341996042e511e46b93  xsa407/xsa407-4.13-07.patch
cb31c3104890c83fad719c8a2c7b0ae242625132a1e9d6afbf6310af10a8c14a  xsa407/xsa407-4.13-08.patch
55241ce45fb11825f7867ae188d73007c38c63d4a8489d990a8c869e000669dc  xsa407/xsa407-4.13-09.patch
f2d8a64f8446890a055e084f195a9f7c8982915556cefb48dd12b0e798b30a0f  xsa407/xsa407-4.13-10.patch
aa0ed6a1126c4d9d5fc94c00a51ddf27f4357c4a1cb258f72f0c17ac4ce0d191  xsa407/xsa407-4.13-11.patch
e91f244180bd92c111e1c653c22644b8144f3610717dd00347b7f21df75830bf  xsa407/xsa407-4.13-12.patch
59c604f50e0cedac2d5011fdb580aab4d719dbe73d9c50096faae70324864927  xsa407/xsa407-4.13-13.patch
ca1f04eaacf86ac21a4656b8f1ad9ff0b06d5f295bba5ee21e0bbb4698b165c0  xsa407/xsa407-4.13-14.patch
d3ee52d4144b5bb375c1fb7e484b68190632da22e654ab480b73745fe2f23af1  xsa407/xsa407-4.13-15.patch
af4ec1eed3d10ce6795e96216676db581e19e4e65d19ee48679a1230a6c37a2f  xsa407/xsa407-4.13-16.patch
8ee57395139261e09e387775d7f5c36a1fa53f75caff89302167727230250501  xsa407/xsa407-4.13-17.patch
1495ffd28238737bd9ad346e5667065f5acaa82adc86aeceb358be3d3b1469f9  xsa407/xsa407-4.13-18.patch
a02fd749eb761b93fe7b2e5977a9aa493af13044165b71de9e7625c0237c2fde  xsa407/xsa407-4.13-19.patch
cf127677913b8127c9a71b1c9b3badf9f2c2064d1ed2602d236ba610f7335c8a  xsa407/xsa407-4.13-20.patch
0289eb4a9098ab806f5b847e5f55652817b9bb8c9ebc98e28fe8ac626c77f77c  xsa407/xsa407-4.13-21.patch
fde8cafcd3207329a7582a18a333f95e82e5edc54e93e4d7603c62dc262942a4  xsa407/xsa407-4.14-01.patch
e2e7aaf633c2638f4a81eca9e627110b4ad087760b9f4880965093f874b138a2  xsa407/xsa407-4.14-02.patch
69938e6c1293040aff921f2cd6bf2ad850caa682745f0d6be8bc2aabb3802edf  xsa407/xsa407-4.14-03.patch
47d67a565d3077688a43937d7cb6cc79d43a8d5e8563711a1476924c696a9759  xsa407/xsa407-4.14-04.patch
14d15b20e053c7dec2e9dd9cbd108284b0ac2069dac2e5c4e76ab4c78637fbe8  xsa407/xsa407-4.14-05.patch
cd38bb072a8e99760a80464482d645aba1531fdb4f4d04eabd7c48e2db00c8e1  xsa407/xsa407-4.14-06.patch
85b79e26fce7b649ae860f9860925060867004ea1940c1110f5e22354891b66a  xsa407/xsa407-4.14-07.patch
0c292123259319cf110df43ccad50ac5f1396de234d457ed1fbd60462da40d82  xsa407/xsa407-4.14-08.patch
1161d0378a63d79461bfdfdc082bb6e49418f6b356a85048a33f268031a11abd  xsa407/xsa407-4.14-09.patch
4b4c652481abaf49d1531ed5c6b6f91b17ab8ae71fcbb085f4557b661fa74d5d  xsa407/xsa407-4.14-10.patch
074c16f104563ca665ee3af5144b9d3ec5131eea6eb9c5859ba5e2a33051bd55  xsa407/xsa407-4.14-11.patch
e816ea5ea372e4e1429e7191721df9203ee8759a337c91e57d176f2d6a636949  xsa407/xsa407-4.14-12.patch
61382cd7985ac5b3d265a08188cbebdd6916fd150413bb77e5ad452fa98e254a  xsa407/xsa407-4.15-1.patch
cd38bb072a8e99760a80464482d645aba1531fdb4f4d04eabd7c48e2db00c8e1  xsa407/xsa407-4.15-2.patch
03d8a0e18b4e1ffbac268cfc159341b4d641d0322ea77efd22c43e4a4318d511  xsa407/xsa407-4.15-3.patch
ae8e8f220a708401a68535e88a3092b35c3db0a20bd3e3a27cdcc7e88d1ff600  xsa407/xsa407-4.15-4.patch
aba615483add2199ad2912557e0b9024d6efd6573fa8009590502d483a78e63a  xsa407/xsa407-4.15-5.patch
55e58ce88ff7126c314c7e24f75a700a3263388137ecd725d2e459e21c018f64  xsa407/xsa407-4.15-6.patch
a3b146ba37e183d9aec813e66e00a6647835246270d2a9a649724f2570c96c17  xsa407/xsa407-4.15-7.patch
ac33b676c2fc5fdee565701baadddd627e492e85f9ca481d12a510c5fc3ff7ab  xsa407/xsa407-4.15-8.patch
3a3cec31ebb8f0fb41e3804f03318becc2a978d71831cf086f77c7eff89de9fe  xsa407/xsa407-4.16-1.patch
b936a9a36c336d1dcf05923f9a07728522f6a6d1474006ec179981a4787a4522  xsa407/xsa407-4.16-2.patch
825a683f37964186ab669468c517c342dc55b1e86898a75c86f8ff0de47e1b76  xsa407/xsa407-4.16-3.patch
402795d0cb418503c3e90b65f3bf546493a7411d14208ac718ba8639f67d1860  xsa407/xsa407-4.16-4.patch
ec6009b2ddaa74099725844bf4343efb8510015fb851d3ccc26913f877db0bdf  xsa407/xsa407-4.16-5.patch
4fa9c65ee0bdf8650b0cd483c205a305352d918408b91d4adf83c84d1b269b2e  xsa407/xsa407-4.16-6.patch
1c01c1508103de49cc1895a60babe9d33feaa27da8d2bd89c6895c0173e280d7  xsa407/xsa407-4.16-7.patch
d2a4e06959dff5a9772b13d921332804fbaf81f012c0b9cf85f8b9dd008c61de  xsa407/xsa407-4.16-8.patch
c178e43d3f569086aee66ffaf28f22156bdb22144bdff7ffe4f7c20242abe73c  xsa407/xsa407-4.patch
eb9985afa38b1d2bffd6a48772a429fc0f88375cd3fc0b977f9a8a0981ab87b4  xsa407/xsa407-5.patch
aea9fb436a1f3dc38a874b8b3e4d0f1a82fb14c5e50c579a978aee1a83bfdb72  xsa407/xsa407-6.patch
cf1e9796dbaaedf1e3ba7efb830fe99dea8f09125d7ec7bd2a16b11cfc131aa6  xsa407/xsa407-7.patch
cc46f1da318dfa72b87bbc069bf448eed3d1b264281e3a7d9a6bad8f6519e8c3  xsa407/xsa407-8.patch
$

NOTE CONCERNING LACK OF EMBARGO
===============================

The disclosers did not authorise us to predisclose.
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmLNotoMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZeiUH/jZsXrd1X9mzVrBaoQQckCtYtrM+9rYS1JbupDZx
Ca6P0zwKaX1uaDi/De/UCAbt4fCpE/xqqy9X5wMX0XUFJEhr74GKXDh/evzH7C/i
WxwNmoTio0Un5jw+aLlKGza7oSNYVKPgYjDim7iTMmWdzWauS6Ock3HQn2jkG0JL
nTarKFX2JjC2INiu6YssDS81nI6cPJAz+AB4FzzU6u/2loPZv5hxpYnrUsWlRaH1
87pAiGhi7gc9yhv9FTi3C/paBG/kioqQi/ahV5S/l2nlIR1xo97ewfStcdAsT5sl
XgFq0sKLamMti0Ens3tydrXVNeyfHq9ABlN2eOnufZNT8Kc=
=CEa6
-----END PGP SIGNATURE-----

Xenproject.org Security Team

CVE-2022-29900: 407 - Xen Security Advisories

Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 12 Jul 2022 16:36:10 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900)
 - Retbleed - arbitrary speculative code execution with return instructions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

 Xen Security Advisory CVE-2022-23816,CVE-2022-23825,CVE-2022-29900 / XSA-407

   Retbleed - arbitrary speculative code execution with return instructions

ISSUE DESCRIPTION
=================

Researchers at ETH Zurich have discovered Retbleed, allowing for
arbitrary speculative execution in a victim context.

For more details, see:
  https://comsec.ethz.ch/retbleed

ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for
Intel.

Despite the similar preconditions, these are very different
microarchitectural behaviours between vendors.

On AMD CPUs, Retbleed is one specific instance of a more general
microarchitectural behaviour called Branch Type Confusion.  AMD have
assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type
Confusion).

For more details, see:
  https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037

On Intel CPUs, Retbleed is not a new vulnerability; it is only
applicable to software which did not follow Intel's original Spectre-v2
guidance.  Intel are using the ETH Zurich allocated CVE-2022-29901.

For more details, see:
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html
  https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html

ARM have indicated existing guidance on Spectre-v2 is sufficient.

IMPACT
======

An attacker might be able to infer the contents of arbitrary host
memory, including memory assigned to other guests.

VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Whether a CPU is potentially vulnerable depends on its
microarchitecture.  Consult your hardware vendor.

For ARM and Intel CPUs, Xen implemented the vendor-recommended defaults
in XSA-254 and follow-on fixes.  Therefore, the Xen Security Team
believes there are no further changes necessary on these CPUs.
Administrators who deviated from the default mitigations are potentially
affected and should re-evaluate their threat model.

For AMD, CPUs from the Zen2 microarchitecture and earlier are
potentially vulnerable.  Zen3 and later CPUs are not believed to be
vulnerable.

The patches for Xen implement the IBPB-at-entry mitigation.  This
depends on the IBPB microcode distributed by AMD in 2018 as part of the
original Spectre/Meltdown work.  Consult your dom0 OS vendor.

In addition to IBPB, "cross thread" safety is necessary.  On Zen2 CPUs,
Xen uses STIBP by default.  On Zen1 CPUs, SMT needs disabling either in
the firmware, or by passing \`smt=0\` on Xen's command line.  On Fam15h
CPUs, Cluster Multi-Threading needs disabling in firmware.

Due to performance concerns, dom0 is excluded from IBPB-on-entry
protections by default.  This is because PV dom0 is trusted in most
deployments.  If your threat model model doesn't allow for dom0 to be
treated specially, boot with \`spec-ctrl=ibpb-entry\` which will cause
IBPB-on-entry protections to be applied to dom0 too.

MITIGATION
==========

There are no mitigations.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

For the 4.15 and 4.16 branches in particular, these patches depend on:

 - x86/spec-ctrl: Only adjust MSR\_SPEC\_CTRL for idle with legacy IBRS
 - x86/spec-ctrl: Knobs for STIBP and PSFD, and follow hardware STIBP hint
 - xen/cmdline: Extend parse\_boolean() to signal a name match
 - x86/spec-ctrl: Add fine-grained cmdline suboptions for primitives

which have been recently backported.

xsa407/xsa407-?.patch           xen-unstable
xsa407/xsa407-4.16-\*.patch      Xen 4.16.x
xsa407/xsa407-4.15-\*.patch      Xen 4.15.x
xsa407/xsa407-4.14-\*.patch      Xen 4.14.x
xsa407/xsa407-4.13-\*.patch      Xen 4.13.x

$ sha256sum xsa407\* xsa407\*/\*
0a6dea915dd760afc73c3f50f432422d2e853eecaf99e3cdeb2d6e0fb3ee71b1  xsa407.meta
8894b0dc8e8c0900560366bde766826bf357c8aec3233ed6147f2094633a3cbc  xsa407/xsa407-1.patch
5955614d73b34ebeab45386dbc9dbe5d96c54f7945d22d5de6c645a5b7796a2f  xsa407/xsa407-2.patch
1f901df3a382a547dda6ef4ef088a5cf60a2d2b0382be451b148bf166cf43013  xsa407/xsa407-3.patch
8f75a9eee8ee2a563bc90e493ba1e4ac29335f677a3d2049ec27e138b7e3021e  xsa407/xsa407-4.13-01.patch
fbe3dca8f170dabf61c620ad1dde12898d52521ede59822971f461549323f946  xsa407/xsa407-4.13-02.patch
9a392bca751a6d6b9489b536ffd7e14722f22e44d266631898ec024b1b258e27  xsa407/xsa407-4.13-03.patch
1eae8ece87fc06ca883fc7510b80ced195c3ec44a589fcf464ead076de4d1afd  xsa407/xsa407-4.13-04.patch
016b1a682aa292a380a4fd9c49c65ade0fa7d19ef2f636611d7883d6adb38008  xsa407/xsa407-4.13-05.patch
cc3435e7bf2331a61c6e6731d8c0c4edd10ac49c85c9702e3d790309e1bb494a  xsa407/xsa407-4.13-06.patch
46f7b3d8a4ae39fa325dda2d77091b0768367a3d2cf6a341996042e511e46b93  xsa407/xsa407-4.13-07.patch
cb31c3104890c83fad719c8a2c7b0ae242625132a1e9d6afbf6310af10a8c14a  xsa407/xsa407-4.13-08.patch
55241ce45fb11825f7867ae188d73007c38c63d4a8489d990a8c869e000669dc  xsa407/xsa407-4.13-09.patch
f2d8a64f8446890a055e084f195a9f7c8982915556cefb48dd12b0e798b30a0f  xsa407/xsa407-4.13-10.patch
aa0ed6a1126c4d9d5fc94c00a51ddf27f4357c4a1cb258f72f0c17ac4ce0d191  xsa407/xsa407-4.13-11.patch
e91f244180bd92c111e1c653c22644b8144f3610717dd00347b7f21df75830bf  xsa407/xsa407-4.13-12.patch
59c604f50e0cedac2d5011fdb580aab4d719dbe73d9c50096faae70324864927  xsa407/xsa407-4.13-13.patch
ca1f04eaacf86ac21a4656b8f1ad9ff0b06d5f295bba5ee21e0bbb4698b165c0  xsa407/xsa407-4.13-14.patch
d3ee52d4144b5bb375c1fb7e484b68190632da22e654ab480b73745fe2f23af1  xsa407/xsa407-4.13-15.patch
af4ec1eed3d10ce6795e96216676db581e19e4e65d19ee48679a1230a6c37a2f  xsa407/xsa407-4.13-16.patch
8ee57395139261e09e387775d7f5c36a1fa53f75caff89302167727230250501  xsa407/xsa407-4.13-17.patch
1495ffd28238737bd9ad346e5667065f5acaa82adc86aeceb358be3d3b1469f9  xsa407/xsa407-4.13-18.patch
a02fd749eb761b93fe7b2e5977a9aa493af13044165b71de9e7625c0237c2fde  xsa407/xsa407-4.13-19.patch
cf127677913b8127c9a71b1c9b3badf9f2c2064d1ed2602d236ba610f7335c8a  xsa407/xsa407-4.13-20.patch
0289eb4a9098ab806f5b847e5f55652817b9bb8c9ebc98e28fe8ac626c77f77c  xsa407/xsa407-4.13-21.patch
fde8cafcd3207329a7582a18a333f95e82e5edc54e93e4d7603c62dc262942a4  xsa407/xsa407-4.14-01.patch
e2e7aaf633c2638f4a81eca9e627110b4ad087760b9f4880965093f874b138a2  xsa407/xsa407-4.14-02.patch
69938e6c1293040aff921f2cd6bf2ad850caa682745f0d6be8bc2aabb3802edf  xsa407/xsa407-4.14-03.patch
47d67a565d3077688a43937d7cb6cc79d43a8d5e8563711a1476924c696a9759  xsa407/xsa407-4.14-04.patch
14d15b20e053c7dec2e9dd9cbd108284b0ac2069dac2e5c4e76ab4c78637fbe8  xsa407/xsa407-4.14-05.patch
cd38bb072a8e99760a80464482d645aba1531fdb4f4d04eabd7c48e2db00c8e1  xsa407/xsa407-4.14-06.patch
85b79e26fce7b649ae860f9860925060867004ea1940c1110f5e22354891b66a  xsa407/xsa407-4.14-07.patch
0c292123259319cf110df43ccad50ac5f1396de234d457ed1fbd60462da40d82  xsa407/xsa407-4.14-08.patch
1161d0378a63d79461bfdfdc082bb6e49418f6b356a85048a33f268031a11abd  xsa407/xsa407-4.14-09.patch
4b4c652481abaf49d1531ed5c6b6f91b17ab8ae71fcbb085f4557b661fa74d5d  xsa407/xsa407-4.14-10.patch
074c16f104563ca665ee3af5144b9d3ec5131eea6eb9c5859ba5e2a33051bd55  xsa407/xsa407-4.14-11.patch
e816ea5ea372e4e1429e7191721df9203ee8759a337c91e57d176f2d6a636949  xsa407/xsa407-4.14-12.patch
61382cd7985ac5b3d265a08188cbebdd6916fd150413bb77e5ad452fa98e254a  xsa407/xsa407-4.15-1.patch
cd38bb072a8e99760a80464482d645aba1531fdb4f4d04eabd7c48e2db00c8e1  xsa407/xsa407-4.15-2.patch
03d8a0e18b4e1ffbac268cfc159341b4d641d0322ea77efd22c43e4a4318d511  xsa407/xsa407-4.15-3.patch
ae8e8f220a708401a68535e88a3092b35c3db0a20bd3e3a27cdcc7e88d1ff600  xsa407/xsa407-4.15-4.patch
aba615483add2199ad2912557e0b9024d6efd6573fa8009590502d483a78e63a  xsa407/xsa407-4.15-5.patch
55e58ce88ff7126c314c7e24f75a700a3263388137ecd725d2e459e21c018f64  xsa407/xsa407-4.15-6.patch
a3b146ba37e183d9aec813e66e00a6647835246270d2a9a649724f2570c96c17  xsa407/xsa407-4.15-7.patch
ac33b676c2fc5fdee565701baadddd627e492e85f9ca481d12a510c5fc3ff7ab  xsa407/xsa407-4.15-8.patch
3a3cec31ebb8f0fb41e3804f03318becc2a978d71831cf086f77c7eff89de9fe  xsa407/xsa407-4.16-1.patch
b936a9a36c336d1dcf05923f9a07728522f6a6d1474006ec179981a4787a4522  xsa407/xsa407-4.16-2.patch
825a683f37964186ab669468c517c342dc55b1e86898a75c86f8ff0de47e1b76  xsa407/xsa407-4.16-3.patch
402795d0cb418503c3e90b65f3bf546493a7411d14208ac718ba8639f67d1860  xsa407/xsa407-4.16-4.patch
ec6009b2ddaa74099725844bf4343efb8510015fb851d3ccc26913f877db0bdf  xsa407/xsa407-4.16-5.patch
4fa9c65ee0bdf8650b0cd483c205a305352d918408b91d4adf83c84d1b269b2e  xsa407/xsa407-4.16-6.patch
1c01c1508103de49cc1895a60babe9d33feaa27da8d2bd89c6895c0173e280d7  xsa407/xsa407-4.16-7.patch
d2a4e06959dff5a9772b13d921332804fbaf81f012c0b9cf85f8b9dd008c61de  xsa407/xsa407-4.16-8.patch
c178e43d3f569086aee66ffaf28f22156bdb22144bdff7ffe4f7c20242abe73c  xsa407/xsa407-4.patch
eb9985afa38b1d2bffd6a48772a429fc0f88375cd3fc0b977f9a8a0981ab87b4  xsa407/xsa407-5.patch
aea9fb436a1f3dc38a874b8b3e4d0f1a82fb14c5e50c579a978aee1a83bfdb72  xsa407/xsa407-6.patch
cf1e9796dbaaedf1e3ba7efb830fe99dea8f09125d7ec7bd2a16b11cfc131aa6  xsa407/xsa407-7.patch
cc46f1da318dfa72b87bbc069bf448eed3d1b264281e3a7d9a6bad8f6519e8c3  xsa407/xsa407-8.patch
$

NOTE CONCERNING LACK OF EMBARGO
===============================

The disclosers did not authorise us to predisclose.
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmLNotoMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZeiUH/jZsXrd1X9mzVrBaoQQckCtYtrM+9rYS1JbupDZx
Ca6P0zwKaX1uaDi/De/UCAbt4fCpE/xqqy9X5wMX0XUFJEhr74GKXDh/evzH7C/i
WxwNmoTio0Un5jw+aLlKGza7oSNYVKPgYjDim7iTMmWdzWauS6Ock3HQn2jkG0JL
nTarKFX2JjC2INiu6YssDS81nI6cPJAz+AB4FzzU6u/2loPZv5hxpYnrUsWlRaH1
87pAiGhi7gc9yhv9FTi3C/paBG/kioqQi/ahV5S/l2nlIR1xo97ewfStcdAsT5sl
XgFq0sKLamMti0Ens3tydrXVNeyfHq9ABlN2eOnufZNT8Kc=
=CEa6
-----END PGP SIGNATURE-----

**Download attachment "**xsa407.meta**" of type "**application/octet-stream**" (1366 bytes)**

**Download attachment "**xsa407/xsa407-1.patch**" of type "**application/octet-stream**" (5521 bytes)**

**Download attachment "**xsa407/xsa407-2.patch**" of type "**application/octet-stream**" (3502 bytes)**

**Download attachment "**xsa407/xsa407-3.patch**" of type "**application/octet-stream**" (3626 bytes)**

**Download attachment "**xsa407/xsa407-4.13-01.patch**" of type "**application/octet-stream**" (5069 bytes)**

**Download attachment "**xsa407/xsa407-4.13-02.patch**" of type "**application/octet-stream**" (4860 bytes)**

**Download attachment "**xsa407/xsa407-4.13-03.patch**" of type "**application/octet-stream**" (8358 bytes)**

**Download attachment "**xsa407/xsa407-4.13-04.patch**" of type "**application/octet-stream**" (6380 bytes)**

**Download attachment "**xsa407/xsa407-4.13-05.patch**" of type "**application/octet-stream**" (4572 bytes)**

**Download attachment "**xsa407/xsa407-4.13-06.patch**" of type "**application/octet-stream**" (2096 bytes)**

**Download attachment "**xsa407/xsa407-4.13-07.patch**" of type "**application/octet-stream**" (3343 bytes)**

**Download attachment "**xsa407/xsa407-4.13-08.patch**" of type "**application/octet-stream**" (1570 bytes)**

**Download attachment "**xsa407/xsa407-4.13-09.patch**" of type "**application/octet-stream**" (5054 bytes)**

**Download attachment "**xsa407/xsa407-4.13-10.patch**" of type "**application/octet-stream**" (3900 bytes)**

**Download attachment "**xsa407/xsa407-4.13-11.patch**" of type "**application/octet-stream**" (7893 bytes)**

**Download attachment "**xsa407/xsa407-4.13-12.patch**" of type "**application/octet-stream**" (2636 bytes)**

**Download attachment "**xsa407/xsa407-4.13-13.patch**" of type "**application/octet-stream**" (4926 bytes)**

**Download attachment "**xsa407/xsa407-4.13-14.patch**" of type "**application/octet-stream**" (5507 bytes)**

**Download attachment "**xsa407/xsa407-4.13-15.patch**" of type "**application/octet-stream**" (3462 bytes)**

**Download attachment "**xsa407/xsa407-4.13-16.patch**" of type "**application/octet-stream**" (3582 bytes)**

**Download attachment "**xsa407/xsa407-4.13-17.patch**" of type "**application/octet-stream**" (3356 bytes)**

**Download attachment "**xsa407/xsa407-4.13-18.patch**" of type "**application/octet-stream**" (10871 bytes)**

**Download attachment "**xsa407/xsa407-4.13-19.patch**" of type "**application/octet-stream**" (4384 bytes)**

**Download attachment "**xsa407/xsa407-4.13-20.patch**" of type "**application/octet-stream**" (3045 bytes)**

**Download attachment "**xsa407/xsa407-4.13-21.patch**" of type "**application/octet-stream**" (12470 bytes)**

**Download attachment "**xsa407/xsa407-4.14-01.patch**" of type "**application/octet-stream**" (3900 bytes)**

**Download attachment "**xsa407/xsa407-4.14-02.patch**" of type "**application/octet-stream**" (9426 bytes)**

**Download attachment "**xsa407/xsa407-4.14-03.patch**" of type "**application/octet-stream**" (2636 bytes)**

**Download attachment "**xsa407/xsa407-4.14-04.patch**" of type "**application/octet-stream**" (4926 bytes)**

**Download attachment "**xsa407/xsa407-4.14-05.patch**" of type "**application/octet-stream**" (5459 bytes)**

**Download attachment "**xsa407/xsa407-4.14-06.patch**" of type "**application/octet-stream**" (3462 bytes)**

**Download attachment "**xsa407/xsa407-4.14-07.patch**" of type "**application/octet-stream**" (3582 bytes)**

**Download attachment "**xsa407/xsa407-4.14-08.patch**" of type "**application/octet-stream**" (3356 bytes)**

**Download attachment "**xsa407/xsa407-4.14-09.patch**" of type "**application/octet-stream**" (11097 bytes)**

**Download attachment "**xsa407/xsa407-4.14-10.patch**" of type "**application/octet-stream**" (4429 bytes)**

**Download attachment "**xsa407/xsa407-4.14-11.patch**" of type "**application/octet-stream**" (3076 bytes)**

**Download attachment "**xsa407/xsa407-4.14-12.patch**" of type "**application/octet-stream**" (12470 bytes)**

**Download attachment "**xsa407/xsa407-4.15-1.patch**" of type "**application/octet-stream**" (5459 bytes)**

**Download attachment "**xsa407/xsa407-4.15-2.patch**" of type "**application/octet-stream**" (3462 bytes)**

**Download attachment "**xsa407/xsa407-4.15-3.patch**" of type "**application/octet-stream**" (3582 bytes)**

**Download attachment "**xsa407/xsa407-4.15-4.patch**" of type "**application/octet-stream**" (3356 bytes)**

**Download attachment "**xsa407/xsa407-4.15-5.patch**" of type "**application/octet-stream**" (11095 bytes)**

**Download attachment "**xsa407/xsa407-4.15-6.patch**" of type "**application/octet-stream**" (4449 bytes)**

**Download attachment "**xsa407/xsa407-4.15-7.patch**" of type "**application/octet-stream**" (3076 bytes)**

**Download attachment "**xsa407/xsa407-4.15-8.patch**" of type "**application/octet-stream**" (12470 bytes)**

**Download attachment "**xsa407/xsa407-4.16-1.patch**" of type "**application/octet-stream**" (5461 bytes)**

**Download attachment "**xsa407/xsa407-4.16-2.patch**" of type "**application/octet-stream**" (3462 bytes)**

**Download attachment "**xsa407/xsa407-4.16-3.patch**" of type "**application/octet-stream**" (3586 bytes)**

**Download attachment "**xsa407/xsa407-4.16-4.patch**" of type "**application/octet-stream**" (3356 bytes)**

**Download attachment "**xsa407/xsa407-4.16-5.patch**" of type "**application/octet-stream**" (11095 bytes)**

**Download attachment "**xsa407/xsa407-4.16-6.patch**" of type "**application/octet-stream**" (4449 bytes)**

**Download attachment "**xsa407/xsa407-4.16-7.patch**" of type "**application/octet-stream**" (3140 bytes)**

**Download attachment "**xsa407/xsa407-4.16-8.patch**" of type "**application/octet-stream**" (12475 bytes)**

**Download attachment "**xsa407/xsa407-4.patch**" of type "**application/octet-stream**" (3378 bytes)**

**Download attachment "**xsa407/xsa407-5.patch**" of type "**application/octet-stream**" (11155 bytes)**

**Download attachment "**xsa407/xsa407-6.patch**" of type "**application/octet-stream**" (4458 bytes)**

**Download attachment "**xsa407/xsa407-7.patch**" of type "**application/octet-stream**" (3187 bytes)**

**Download attachment "**xsa407/xsa407-8.patch**" of type "**application/octet-stream**" (12536 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-29901: oss-security - Xen Security Advisory 407 v1 (CVE-2022-23816,CVE-2022-23825,CVE-2022-29900) - Retbleed

Whether data's in motion, at rest, or in use, confidential computing makes moving workloads to the public cloud safer, and can enhance data security in other deployments.

It's a question every enterprise faces: How comfortable do we feel moving sensitive data to the cloud, bearing in mind the associated security and privacy risks?

Though global cloud adoption is expanding rapidly, security and privacy remain top concerns. For example, the Cloud Security Alliance survey last year showed security and privacy to be the leading worry for 58% of 1,900 professionals involved in cloud deployments.

That is why inside many companies, tension continues to simmer between development shops that see the scalable, flexible public cloud as an ideal innovation engine and security gatekeepers whose risk intolerance has earned them a reputation as the Department of No.

But what if organizations could have greater assurance that their data is protected from hackers and other prying eyes? What if reluctance about moving sensitive data to the cloud was alleviated?

Such is the promise of an emerging shift in data security: confidential computing.

Confidential computing not only reassures enterprises about the safety of moving more of their workloads to the public cloud, it also can enhance data security in any type of deployment and offer a host of business benefits.

An explanation of what confidential computing is must start with a description of the three stages of the data life cycle.

**Data in Motion**

When users send data, it is encrypted while transmitting across networks. Whether the user is someone in a company sending data to the cloud or a consumer sharing their credit card information with an online retailer, that's true. Standardized encryption technologies such as TLS protect the data during its journey.

**Data at Rest**

This is the designation for passive data that is not being computed on and is sitting in storage — records in databases, files on hard disks, etc. Organizations use disk encryption and other security technologies to safeguard data at rest.

**Data in Use**

This is where data is computed-on in some way. To do that, data must first be moved from the hard disk into system memory — aka RAM — and become unencrypted. At this stage, data becomes vulnerable to compromise due to a potential vulnerability within the millions lines of code that comprise the cloud provider’s system software operating system, hypervisor, firmware, or a cloud administrator. This is a large attack surface, and this is what consumers who move their confidential data from an on-premises setup to a public cloud worry about.

Confidential computing is an extra layer of security that extends encryption protection to data during runtime. It achieves this by running workloads in isolated hardware-encrypted environments, or trusted execution environments, that prevent unauthorized access or modification of applications and data while in use.

This eases a set of potential security threats in moving data to the cloud, such as a hypervisor vulnerability allowing other virtual machines to leak private data, or a rogue cloud provider employee with access to a company's physical machine backdooring a workflow.

There's a lot of industry buzz about confidential computing for a few reasons. The first is obvious: The rising number of cyberattacks is spurring a need for better data security.

Second, technologies that enable confidential computing, such as security features in operating systems and on CPUs, have achieved industrial strength, as with AMD-SEV and Intel SGX.

Third, the major public cloud providers, in particular Google Cloud Platform and Microsoft Azure, have been beefing up their confidential computing capabilities.

A note on that third point: Though much of the discussion about confidential computing has centered on its usefulness in securing sensitive data as it moves to the public cloud, its advantages are equally compelling and relevant for protecting data in use in many more environments, namely edge and on-premises deployments.

The space keeps heating up. For example, in May, AMD announced new confidential computing virtual machines for Google Cloud.

Confidential computing also has the support of a project community at the Linux Foundation, with commitments from nearly 40 member organizations and contributions from several open source projects.

Confidential computing has significant real-world benefits. Take financial services, for example. In that industry, business processes such as anti-money laundering and fraud detection require financial institutions to share data with external parties.

With confidential computing, they can process data from multiple sources without exposing customers' personal data. They can run analytics on the combined data sets to, say, detect the movement of money by one user among multiple banks, without introducing security and privacy problems.

By unlocking data computing scenarios that weren't possible before, confidential computing should be an important security and privacy advance for years to come.

How Confidential Computing Locks Down Data, Regardless of Its State

Chris Hallenbeck, CISO for the Americas at Tanium, discusses the impact of geopolitical conflict on the cybersecurity insurance market.

Chris Hallenbeck, CISO for the Americas at Tanium, discusses the impact of geopolitical conflict on the cybersecurity insurance market.

Author Chris Hallenbeck is CISO for the Americas at Tanium

In the words of former FBI director, Robert Mueller, “There are only two types of companies: those that have been hacked and those that will be.”

This unavoidable truth, coupled with growing mainstream awareness and the ever-increasing frequency of attacks, has led to a steady uptick in cyber insurance in recent years. In fact, insurance clients opting for cyber coverage rose from 26 percent in 2016 to 47 percent in 2020, according to reporting by the U.S. Government Accounting Office (GAO).

Given the current conflict in Ukraine, the insurance industry is facing increased pressure and concerns that a spike in attacks will lead to a surge in claims. While it’s undeniable that nation-state threat actors have stepped up their game to capitalize on the chaos brought on by the Ukraine-Russia conflict, cyber insurance is not the answer to the growing threat.

**Rethinking Cyber Insurance**

When cyber insurance entered the scene in the late 1990s, the restrictions were few and the coverage generous, but that trend has shifted in recent years. There is a strong tendency across industries to approach a problem differently as soon as we put the word “cyber” in front of it. Treating “cyber” as different and in some ways wholly detached from traditional fraud obfuscates the fundamentals.

Aspects of the insurance industry initially fell into that trap. However, we’re now seeing a shift back to traditional risk measurement, with underwriters approaching cyber insurance in a manner similar to physical insurance – by assessing where the biggest risks are and determining whether they should exclude certain risks from coverage, as well as establishing a bar to define what constitutes reasonable care. At the same time, we’re seeing coverage premiums skyrocket. By the end of 2020, more than half of cyber insurance policy holders saw the price of their coverage rise by as much as 30 percent, according to GAO.

While the current conflict in Ukraine will likely lead to a rise in cyber insurance purchases, the harsh reality is that most coverage will not protect enterprises from nation-state attacks or even ransomware. In fact, most cyber insurance policies already include clauses to exclude acts of war, and in the aftermath of the current struggle, we’ll likely see further refinement of language and an expansion in the number of coverage exclusions as insurers look to hedge their risks. With insurance companies tightening their purses and attackers doubling down their efforts, what’s the answer for organizations looking to mitigate risk?

**Mitigate Risks, Not Threats**

The bottom line is that if you’re buying cyber insurance only because you expect to experience a cyberattack and are unsure whether you have adequate controls in place or the right planning around disaster recovery, you aren’t investing as you should be. The first step before buying a cyber insurance policy should be a risk assessment.

You can’t do the math on whether insurance is worth the cost without determining the anticipated impact of a cyber incident – and math requires numbers, which means risk needs to be clearly quantified. An in-depth analytical approach is likely to be the standard moving forward, with insurers themselves completing assessments to determine if they would agree to underwrite a policy.

**When Insurance Makes Most Sense**

That said, insurance is an important component of risk management. Where a risk might be high impact but low probability that it will happen, insurance makes sense. Intertwine that with the cost of mitigating the risk versus the likelihood that it will happen, and you’ll find high mitigation costs with low likelihood make insurance a smart decision.

For many organizations, there are basic steps they should take to shore up their security – the standard duty of care – which must be addressed. If a risk assessment reveals glaring holes in your security stack, it’s time to get back to basics and improve cyber hygiene. Given that many IT departments are understaffed and under-resourced, it’s important to automate risk monitoring wherever possible to quickly identify and remediate threats continuously and in real-time.

But deploying more point solutions across your organization won’t get the job done unless you can see and control all that technology whenever and wherever. Consider consolidating your security tools where possible to increase visibility across your entire IT estate. Once you have undertaken a thorough risk assessment, established a strong security foundation, and conducted a clear cost-benefit analysis – which requires open communication from the CISO to the CFO and even the board – only then should you consider investing in cyber insurance.

**Cyber Insurance Fine Print**

As the Russia-Ukraine war wages on and other nation-states and criminals exploit the chaos, we’ll likely continue to see the interest in cyber insurance grow, but I’d wager the companies signing up for policies will be the ones who fail to read the fine print.

Just as we saw a clarification of cyber insurance policies in the wake of NotPetya, the future will usher in more review and rewriting of exclusion clauses. With insurers unlikely to pay out when it comes to ransomware attacks in times of war, organizations must focus instead on proactive cyber hygiene.

Just as you can generally avoid a car accident if you maintain your car and drive safely – by getting a clear picture of your risk and taking steps to address it, you can mitigate the likelihood of a devastating cyberattack. After all, the best insurance against a cyberattack is not a policy, but a strong security foundation.

**_Infosec Insiders columnist Chris Hallenbeck is CISO for the Americas at Tanium. He provides security leadership and operational insight gained from over 20 years in both public and private sector._**

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

**Register Now for this On-demand Event**: Join Threatpost and Intel Security’s Tom Garrison in a Threatpost roundtable discussing innovation enabling stakeholders to stay ahead of a dynamic threat landscape. Also, learn what Intel Security learned from their latest study in partnership with Ponemon Institue. **WATCH HERE**.

How War Impacts Cyber Insurance

Victims instructed to make a phone call that will direct them to a link for downloading malware.

Victims instructed to make a phone call that will direct them to a link for downloading malware.

A new callback phishing campaign is impersonating prominent security companies to try to trick potential victims into making a phone call that will instruct them to download malware.

Researchers at CrowdStrike Intelligence discovered the campaign because CrowdStrike is actually one of the companies, among other security firms, being impersonated, they said in a recent blog post.

The campaign employs a typical phishing email aiming to fool a victim into replying with urgency—in this case, implying that the recipient’s company has been breached and insisting that they call a phone number included in the message, researchers wrote. If a person targeted calls the number, they reach someone who directs them to a website with malicious intent, they said.

“Historically, callback campaign operators attempt to persuade victims to install commercial RAT software to gain an initial foothold on the network,” researchers wrote in the post.

Researchers likened the campaign to one discovered last year dubbed BazarCall by the Wizard Spider threat group. That campaign used a similar tactic to try to spur people to make a phone call to opt out of renewing an online service the recipient purportedly is currently using, Sophos researchers explained at the time.

If people made the call, a friendly person on the other side would give them a website address where the soon-to-be-victim could supposedly unsubscribe from the service. However, that website instead led them to malicious download.

CrowdStrike also identified a campaign in March of this year in which threat actors used a callback phishing campaign to install AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware, CrowdStrike researchers said.

****Impersonating a Trusted Partner****

Researchers did not specify what other security companies were being impersonated in the campaign, which they identified on July 8, they said. In their blog post they included a screenshot of the email sent to recipients impersonating CrowdStrike, which appears legitimate by using the company’s logo.

Specifically, the email informs the target that it’s coming from their company’s “outsourced data security services vendor,” and that “abnormal activity” has been detected on the “segment of the network which your workstation is a part of.”

The message claims that the victim’s IT department already has been notified but that their participation is required to perform an audit on their individual workstation, according to CrowdStrike. The email instructs the recipient to call a number provided so this can be done, which is when the malicious activity occurs.

Though researchers were not able to identify the malware variant being used in the campaign, they believe with high likelihood that it will include “common legitimate remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and the deployment of ransomware or data extortion,” they wrote.

****Potential to Spread Ransomware****

Researchers also assessed with “moderate confidence” that callback operators in the campaign “will likely use ransomware to monetize their operation,” they said, “as 2021 BazarCall campaigns would eventually lead to Conti ransomware,” they said.

“This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches,” researchers wrote.

Further, they stressed that CrowdStrike would never contact customers in this way, and urged any of their customers receiving such as email to forward phishing emails to the address csirt@crowdstrike.com.

This assurance is key particularly with cybercriminals becoming so adept at social engineering tactics that appear perfectly legitimate to unsuspecting targets of malicious campaigns, noted one security professional.

“One of the most important facets of effective cybersecurity awareness training is educating users beforehand on how they will or will not be contacted, and what information or actions they may be asked to take,” Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, wrote in an email to Threatpost. “It is critical that users understand how they may be contacted by legitimate internal or external departments, and this goes beyond just cybersecurity.”

‘Callback’ Phishing Campaign Impersonates Security Firms

A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions), SICAM GridEdge Essential Intel (All versions < V2.7.3), SICAM GridEdge Essential with GDS ARM (All versions), SICAM GridEdge Essential with GDS Intel (All versions < V2.7.3). Affected software uses an improperly protected file to import SSH keys. Attackers with access to the filesystem of the host on which SICAM GridEdge runs, are able to inject a custom SSH key to that file.

%PDF-1.5 %���� 56 0 obj << /Length 2530 /Filter /FlateDecode >> stream x��ZKs�8��W�HU�\`���hb���q�䤶�90ms�אR���� � )ъ

CVE-2022-34464

The new open source security-as-code platform will help developers and security teams automatically detect security policy violations across the organization's cloud infrastructure.

As more organizations migrate their data, applications, and workloads to the cloud, securing the infrastructure remains a challenge. Security teams don't always know exactly what is happening within each cloud environment, making it difficult to detect when security policies are being violated.

That's the problem Paladin Cloud aims to solve with its security-as-code platform.

Paladin Cloud’s platform is intended to help developers and DevOps teams safeguard their applications and data, both in testing and production. It accomplishes this goal by providing teams with full visibility into the organization's various cloud services and systems. The platform includes a plug-in-based architecture that helps developers connect to and ingest data from sources including code repositories, threat intelligence systems, container scanning, API gateways, and cloud-based enterprise systems such as Kubernetes.

Supported vendor systems include Qualys Vulnerability Assessment Platform, Bitbucket, Trend Micro Deep Security, Tripwire, Venafi Certificate Management, and Red Hat. Security teams can write rules based on data collected by these plugins to get a complete picture of the organization's cloud security posture.

"The platform discovers assets, evaluates policy, creates issues for policy violations, and prioritizes remediation," according to a page on Paladin Cloud's GitHub repository. If fixes for policy violations have already been defined, then the platform can go ahead and execute those actions to remediate the issues. This way, the platform provides automatic detection and remediation of violations, such as unauthorized access, misconfigured systems, and insecure APIs.

Organizations can also take advantage of the platform's extensible policy management to oversee hybrid clouds, where the data and applications are hosted on both public and private infrastructure.

Paladin Cloud lists various out-of-the-box features on its GitHub page, including continuous asset discovery, ability to search all discovered resources, custom policies and custom auto-fix actions, dynamic asset grouping to view compliance, exception management, OAuth2 support, and role-based access control.

The platform is now generally available for Amazon Web Services, Google Cloud, and Microsoft Azure. Along with announcing the platform's availability, the company announced a $3.3 million seed financing round.

Paladin Cloud Launches New Cloud Security and Governance Platform

"HavanaCrypt" is also using a command-and-control server that is hosted on a Microsoft Hosting Service IP address, researchers say.

Threat actors are increasingly using fake Microsoft and Google software updates to try to sneak malware on target systems.

The latest example is "HavanaCrypt," a new ransomware tool that researchers from Trend Micro recently discovered in the wild disguised as a Google Software Update application. The malware's command and-control (C2) server is hosted on a Microsoft Web hosting IP address, which is somewhat uncommon for ransomware, according to Trend Micro.

Also notable, according to the researchers, is HavanaCrypt's many techniques for checking if it is running in a virtual environment; the malware's use of code from open source key manager KeePass Password Safe during encryption; and its use of a .Net function called "QueueUserWorkItem" to speed up encryption. Trend Micro notes that the malware is likely a work-in-progress because it does not drop a ransom note on infected systems.

HavanaCrypt is among a growing number of ransomware tools and other malware that in recent months have been distributed in the form of fake updates for Windows 10, Microsoft Exchange, and Google Chrome. In May, security researchers spotted ransomware dubbed "Magniber" doing the rounds disguised as Windows 10 updates. Earlier this year, researchers at Malwarebytes observed the operators of the Magnitude Exploit Kit trying to fool users into downloading it by dressing the malware as a Microsoft Edge update.

As Malwarebytes noted at the time, fake Flash updates used to be a fixture of Web-based malware campaigns until Adobe finally retired the technology because of security concerns. Since then, attackers have been using fake versions of other frequently updated software products to try to trick users into downloading their malware — with browsers being one of the most frequently abused.

Creating fake software updates is trivial for attackers, so they tend to use them to distribute all classes of malware including ransomware, info stealers, and Trojans, says an analyst with Intel 471 who requested anonymity. "A non-technical user might be fooled by such techniques, but SOC analysts or incident responders will likely not be fooled," the analyst says.

Security experts have long noted the need for organizations to have multi-layered defenses in place to defend against ransomware and other threats. This includes having controls for endpoint detection and response, user and entity behavior-monitoring capabilities, network segmentation to minimize damage and limit lateral movement, encryption, and strong identity and access control -- including multi-factor authentication. 

Since adversaries often target end users, it is also critical for organizations to have strong practices in place for educating users about phishing risks and social engineering scams designed to get them to download malware or follow links to credential harvesting sites.

**How HavanaCrypt Works**

HavanaCrypt is .Net malware that uses an open-source tool called Obfuscar to obfuscate its code. Once deployed on a system, HavanaCrypt first checks to see if the "GoogleUpdate" registry is present on the system and only continues with its routine if the malware determines the registry is not present.

The malware then goes through a four-stage process to determine if the infected machine is in a virtualized environment. First it checks the system for services such as VMWare Tools and vmmouse that virtual machines typically use. Then it looks for files related to virtual applications, followed by a check for specific file names used in virtual environments. Finally, it compares the infected systems' MAC address with unique identifier prefixes typically used in virtual machine settings. If any of checks show the infected machine to be in a virtual environment, the malware terminates itself, Trend Micro said.

Once HavanaCrypt determines it's not running in a virtual environment, the malware fetches and executes a batch file from a C2 server hosted on a legitimate Microsoft Web hosting service. The batch file contains commands for configuring Windows Defender in such a manner that it allows detected threats. The malware also stops a long list of processes, many of which are related to database applications such as SQL and MySQL or to desktop applications such as Microsoft Office.

HavanaCrypt's next steps include deleting shadow copies on the infected systems, deleting functions for restoring data, and gathering system information such as the number of processors the system has, processor type, product number, and BIOS version. The malware uses the QueueUserWorkItem function and code from KeePass Password Safe as part of the encryption process.

"QueueUserWorkItem is a standard technique for creating thread pools," says the analyst from Intel 471. "The use of thread pools will speed up encryption of the files on the victim machine."

With KeePass, the ransomware author has copied code from the password manager tool and used this code in their ransomware project. "The copied code is used to generate pseudorandom encryption keys," the analyst notes. "If the encryption keys were generated in a predictable, repeatable way, then it might be possible for malware researchers to develop decryption tools."

The attacker's use of a Microsoft hosting service for the C2 server highlights the broader trend by attackers to hide malicious infrastructure in legitimate services to evade detection. "There is a great deal of badness hosted in cloud environments today, whether it's Amazon, Google, or Microsoft and many others," says John Bambenek, principal threat hunter at Netenrich. "The highly transient nature of the environments makes reputation systems useless."

Fake Google Software Updates Spread New Ransomware

In March, a North Korean APT siphoned blockchain gaming platform Axie Infinity of $540M.

In March, a North Korean APT siphoned blockchain gaming platform Axie Infinity of $540M.

Axie Infinity, a popular destination for 3 million traders of in-game collectible non-fungible tokens, reportedly lost $540M in cryptocurrency in a recruiting-themed spear phishing attack. The perpetrators of the crime are believed to be an advanced persistent threat group with ties to North Korean.

The report comes from the publication The Block, which said on March 23rd hackers took control of private keys tied to four validator nodes. Those nodes, according to the report, belong to the Ronin Network – which Axie runs on. The second node belongs to the Axie DAO – a decentralized organization that supports the game’s ecosystem.

A private key, similar to a password, is a secret number that is used in blockchain cryptography. Validator nodes are computers that, together, maintain a blockchain network by, among other things, validating and processing transactions.

Ronin is supported by nine validators so, by controlling five, the attacker possessed majority control over the network. Axie and Ronin are developed by Sky Mavis.

“Axie systems relied on a relatively small number of validators,” Ryan Spanier, vice president of Innovation at Kudelski Security, explained to Threatpost via email. “This is not a typical practice for public chains, although we do see this in permissioned chains similar to Axie,” he said.

The problem wasn’t just that there were too few validators, but that those validators were all concentrated in one place. “The validators were not well distributed between independent organizations,” Spanier continued, “which means the attacker only truly had to compromise one organization. Essentially, they had a decentralized blockchain model but were vulnerable to a centralized threat vector.”

With majority control, the attackers were able to effectively write checks to themselves, Spanier said. They stole 173,600 Ethereum (ETH) and 25.5 million USD Coin (USDC) in all. At the time, that added up to approximately $540 million  in value.

The following month, the U.S. Treasury Department tied the Ethereum wallet address behind the attack to North Korea’s Lazarus Group. What wasn’t clear until this week is how did the attackers gain control over those validators?

**A Malicious Job Offer**

On March 30, the Ronin Network newsletter stated that “all evidence points to this attack being socially engineered, rather than a technical flaw.” The disclosure did not elaborate further. Now two anonymous sources have come forward who claim “direct knowledge of the matter” are share with reporters at The Block the unconfirmed inside story about what happened.

Sources told The Block earlier in the year some Sky Mavis staff were approached with job opportunities by recruiters on LinkedIn. One engineer, following “multiple rounds of interviews,” was offered a job “with an extremely generous compensation package.” The offer came in the form of a PDF which, once the engineer clicked to open, downloaded spyware to his computer. From there, the attackers moved laterally into Ronin’s IT systems, allowing them to steal those coveted validator private keys, according to The Block.

Mollie MacDougall, director of threat intelligence at Cofense, put it bluntly in an email to Threatpost. “Blockchain platforms should do what every other organization should do: implement an effective phishing defense program that combines technology with the human layer of security.”

“Imagine only one of those employees had reported that email to Axie’s security team. Then imagine that the team could have identified, removed, and notified any other recipients of that email. It could have stopped the attack early in its tracks.”

Popular NFT Marketplace Phished for $540M

Fraudster innovation will continue to drive successful phishing, business email compromise, and socially engineered attacks, researchers say.

Despite ratcheted-up efforts to prevent account takeover, fraudsters are cashing in on a range of online payment fraud schemes, which researchers predict will cost retail organizations more than $343 billion over the next five years. 

Physical good purchases are loss leaders, making up 49% of online payment fraud, driven in large part by developing markets with little address verification, according to a new Juniper Research report. 

"Fundamentally, no two online transactions are the same, so the way transactions are secured cannot follow a one-size-fits-all solution," Nick Maynard, the report's author, explained in a statement along with the latest online payment fraud findings. "Payment fraud detection and prevention vendors must build a multitude of verification capabilities, and intelligently orchestrate different solutions depending on circumstances, in order to correctly protect both merchants and users." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#intel